Include Legal Persons
Adam Cooper brought this up: “Why are we not including Legal Persons? Business identity is also important.”
Comments (10)
-
What I am referring to is that an identity may not always be a representation of a natural person. In some cases, as in EU law, a legal person may act on behalf of an organisation (e.g. a business). The eIDAS Regulation is an example of this across the EU, where an entity may authenticate legitimately as a legal person without disclosing anything other than the legal name of the organisation and a unique identifier; this would then be used to transact with the relying party. A natural person may represent a legal person, but this is not always the case. Commission Implementing Regulation (EU) 2015/1501 contains within its annex definitions of attribute sets for the unique identification of natural and legal persons. Given that this is established in EU law we could do worse than refer to it - https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AJOL_2015_235_R_0001
-
reporter I can imagine how we could express the fact that a natural person represents a legal entity, but I’m currently lacking the understanding of how this would work for a legal entity (or a machine acting on behalf of this entity).
How does a legal entity authenticate itself? I’m asking because all data in an OIDC assertion are about a certain subject (sub claim) that the OP somehow authenticated.
-
“Legal Person in legal context typically is a person (or less ambiguously, a legal entity)—whether human or non-human—that is recognized as having certain privileges and obligations such as the legal capacity to enter into contracts, to sue, and to be sued.” (https://en.wikipedia.org/wiki/Legal_person) Wikipedia also has a List of Legal Entities by Country: https://en.wikipedia.org/wiki/List_of_legal_entity_types_by_country
So perhaps the term Legal Entity which would appear to cover any “Legally” defined entity.
Organization seems a better fit than “enterprise” as not all Organizations are “Businesses”. (NGOs, Non-profit, etc)
A legal “Organization” can only act by way of a Natural Person, which is an Agent of the organization, as the Organization cannot sign a document or file a legal motion.
-
Legal Entity is a good term. It is also true that in most cases a Natural Person will be acting for the Legal Entity.
-
Something is getting lost here. As I understand it, GDPR only applies to natural persons (some lawyer might step in here). So it is important when describing purpose and other fields to know what sort of entity is being authenticated. Somehow I think the point of this doc was natural persons. Whichever it is, the doc needs to clarify its purpose.
-
I believe that you must be referring to the GDPR Recital 14 “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
GDPR does NOT apply to “Personal data” about a company.
Personal Data only refers to Natural Persons. Companies (Organizations) do not have personal data, but they do have confidential data.
-
Which is the problem - nothing I have seen in OpenID anywhere actually allows a relying party to determine if the sub, or any other id, should be treated as a natural person. Yet this is a legally critical distinction for that relying party. That is why, if these new terms are included, it must be crystal clear to the relying party if legal protections (such as the GDPR) should apply to the entity behind the identifier.
-
Post implementer’s draft.
-
reporter - changed status to closed
There is a lot of confusion in this area.